Date: Sun, 30 Jan 2005 21:57:35 GMT From: Tom Rhodes <trhodes@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 70005 for review Message-ID: <200501302157.j0ULvZw4087534@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=70005 Change 70005 by trhodes@trhodes_local on 2005/01/30 21:57:08 Add locking Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#78 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#78 (text+ko) ==== @@ -1,9 +1,11 @@ /*- + * Copyright (c) 2005 Tom Rhodes * Copyright (c) 1999-2002 Robert N. M. Watson * Copyright (c) 2001-2004 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. + * It was later enhanced by Tom Rhodes for the TrustedBSD Project. * * This software was developed for the FreeBSD Project in part by Network * Associates Laboratories, the Security Research Division of Network @@ -31,15 +33,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/sys/security/mac_bsdextended/mac_bsdextended.c,v 1.24 2004/10/22 11:15:47 rwatson Exp $ + * $FreeBSD: /repoman/r/ncvs/src/sys/security/mac_bsdextended/mac_bsdextended.c,v 1.24 2004/10/22 11:15:47 rwatson Exp $ */ /* * Developed by the TrustedBSD Project. * "BSD Extended" MAC policy, allowing the administrator to impose * mandatory rules regarding users and some system objects. - * - * XXX: Much locking support required here. */ #include <sys/types.h> @@ -47,9 +47,11 @@ #include <sys/acl.h> #include <sys/conf.h> #include <sys/kernel.h> +#include <sys/lock.h> #include <sys/mac.h> #include <sys/malloc.h> #include <sys/mount.h> +#include <sys/mutex.h> #include <sys/proc.h> #include <sys/systm.h> #include <sys/sysproto.h> @@ -72,6 +74,8 @@ #include <security/mac_bsdextended/mac_bsdextended.h> +static struct mtx mac_bsdextended_mtx; + SYSCTL_DECL(_security_mac); SYSCTL_NODE(_security_mac, OID_AUTO, bsdextended, CTLFLAG_RW, 0, 
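Review bot: The new `static struct mtx mac_bsdextended_mtx;` in the @@ -72,6 +74,8 @@ hunk is declared without a word on what it guards, and the removed `XXX: Much locking support required here.` note leaves nothing in its place. From the later hunks the lock is held around every access to `rules[]`, `rule_count` and `rule_slots`, so a comment on the declaration such as `/* Protects rules[], rule_count and rule_slots. */` would record that. It would also help to state there that the lock must not be held across `MALLOC(..., M_WAITOK)` or `SYSCTL_OUT()`, which is the reason the handler copies through `temprule`.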
@@ -145,16 +149,26 @@ return (EINVAL); index = name[0]; - if (index < 0 || index > rule_slots + 1) + if (index > MAC_BSDEXTENDED_MAXRULES) return (ENOENT); - if (rule_slots >= MAC_BSDEXTENDED_MAXRULES) - return (ENOENT); if (req->oldptr) { - if (rules[index] == NULL) + mtx_lock(&mac_bsdextended_mtx); + if (index < 0 || index > rule_slots + 1) { + mtx_unlock(&mac_bsdextended_mtx); + return (ENOENT); + } + + if (rules[index] == NULL) { + mtx_unlock(&mac_bsdextended_mtx); return (ENOENT); + } - error = SYSCTL_OUT(req, rules[index], sizeof(*rules[index])); + temprule = *rules[index]; + mtx_unlock(&mac_bsdextended_mtx); + + error = SYSCTL_OUT(req, &temprule, sizeof(temprule)); + if (error) return (error); } @@ -162,11 +176,15 @@ if (req->newptr) { if (req->newlen == 0) { /* printf("deletion\n"); */ + mtx_lock(&mac_bsdextended_mtx); ruleptr = rules[index]; - if (ruleptr == NULL) + if (ruleptr == NULL) { + mtx_unlock(&mac_bsdextended_mtx); return (ENOENT); + } rule_count--; rules[index] = NULL; + mtx_unlock(&mac_bsdextended_mtx); FREE(ruleptr, M_MACBSDEXTENDED); return(0); } @@ -178,20 +196,23 @@ if (error) return (error); + MALLOC(ruleptr, struct mac_bsdextended_rule *, + sizeof(*ruleptr), M_MACBSDEXTENDED, M_WAITOK | M_ZERO); + mtx_lock(&mac_bsdextended_mtx); if (rules[index] == NULL) { /* printf("addition\n"); */ - MALLOC(ruleptr, struct mac_bsdextended_rule *, - sizeof(*ruleptr), M_MACBSDEXTENDED, M_WAITOK | - M_ZERO); *ruleptr = temprule; rules[index] = ruleptr; - if (index+1 > rule_slots) - rule_slots = index+1; + if (index + 1 > rule_slots) + rule_slots = index + 1; rule_count++; } else { + mtx_unlock(&mac_bsdextended_mtx); + FREE(ruleptr, M_MACBSDEXTENDED); /* printf("replacement\n"); */ *rules[index] = temprule; } + mtx_unlock(&mac_bsdextended_mtx); } return (0); @@ -205,6 +226,8 @@ { /* Initialize ruleset lock. */ + mtx_init(&mac_bsdextended_mtx, "mac_bsdextended lock", NULL, MTX_DEF); + /* Register dynamic sysctl's for rules. */ } 
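Review bot: The `index < 0` test now runs only inside the `if (req->oldptr)` branch of the @@ -145,16 +149,26 @@ hunk, so a request that supplies only `req->newptr` reaches `rules[index]` in the deletion and addition/replacement hunks (@@ -162,11 and @@ -178,20) with no lower bound on a value taken from `name[0]`. The remaining up-front test, `index > MAC_BSDEXTENDED_MAXRULES`, also lets the value MAC_BSDEXTENDED_MAXRULES itself through, which is one past the end if `rules[]` has that many slots (its declaration is outside the hunk). The constant range test needs no lock and should stay ahead of both branches: `if (index < 0 || index >= MAC_BSDEXTENDED_MAXRULES) return (ENOENT);`. The handler's signature and the declaration of `index` are outside the hunk, so the signedness is inferred from the existing `index < 0` comparison.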
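Review bot: In the @@ -178,20 +196,23 @@ hunk the `else` (replacement) branch calls `mtx_unlock()` before `*rules[index] = temprule;`, and the `mtx_unlock()` after the closing brace then runs a second time on a mutex the thread no longer owns. The rule is therefore overwritten without the lock, racing with the deletion path that frees `rules[index]` and with the check loop that reads it, and the double unlock will trip the mutex assertions on a debugging kernel. Doing the copy while the lock is held and releasing the unused allocation after the single unlock fixes both; the fence shows the reshaped tail of the block. The enclosing `if (req->newptr)` block starts above the hunk.

```c
	mtx_lock(&mac_bsdextended_mtx);
	if (rules[index] == NULL) {
		/* … unchanged: addition path, stores ruleptr in rules[index] … */
		ruleptr = NULL;		/* now owned by rules[] */
	} else {
		/* printf("replacement\n"); */
		*rules[index] = temprule;
	}
	mtx_unlock(&mac_bsdextended_mtx);
	/* Spare allocation from the replacement case; free it unlocked. */
	if (ruleptr != NULL)
		FREE(ruleptr, M_MACBSDEXTENDED);
```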
@@ -212,8 +235,10 @@ mac_bsdextended_destroy(struct mac_policy_conf *mpc) { + /* Destroy ruleset lock. */ + mtx_destroy(&mac_bsdextended_mtx); + /* Tear down sysctls. */ - /* Destroy ruleset lock. */ } static int @@ -225,6 +250,7 @@ /* * Is there a subject match? */ + mtx_assert(&mac_bsdextended_mtx, MA_OWNED); if (rule->mbr_subject.mbi_flags & MBI_UID_DEFINED) { match = (rule->mbr_subject.mbi_uid == cred->cr_uid || rule->mbr_subject.mbi_uid == cred->cr_ruid || @@ -301,6 +327,7 @@ if (suser_cred(cred, 0) == 0) return (0); + mtx_lock(&mac_bsdextended_mtx); for (i = 0; i < rule_slots; i++) { if (rules[i] == NULL) continue; @@ -318,10 +345,12 @@ object_gid, acc_mode); if (error == EJUSTRETURN) break; - if (error) + if (error) { + mtx_unlock(&mac_bsdextended_mtx); return (error); + } } - + mtx_unlock(&mac_bsdextended_mtx); return (0); }
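Review bot: In `mac_bsdextended_destroy()` (the @@ -212,8 +235,10 @@ hunk) `mtx_destroy()` now comes before the `/* Tear down sysctls. */` step, the reverse of the init order, where the lock is created before the sysctls are registered. The teardown is still only a placeholder comment, so nothing breaks today, but once it becomes real code a rule sysctl that is still reachable at that point would lock a destroyed mutex. Keeping the teardown comment first and `mtx_destroy(&mac_bsdextended_mtx);` as the last statement preserves the original ordering.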
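Review bot: In the @@ -225,6 +250,7 @@ hunk the added `mtx_assert(&mac_bsdextended_mtx, MA_OWNED);` sits between the `Is there a subject match?` comment and the `if` that comment describes. Moving the assertion to be the first statement of the function, above that comment, keeps the comment attached to its code and makes the locking precondition visible at entry. A short function comment such as `/* Caller must hold mac_bsdextended_mtx. */` would document the contract for future callers. The function's signature and local declarations are outside the hunk.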